Subject: RE: [saml-dev] Question related to Subject Confirmation in SAML


An important innovation of SAML was to distinguish between Authentication, which typically involves interaction with a human being and only occurs once per session, and what we named Subject Confirmation, which binds the information in assertions to the party in question (by binding it to the message or session) and is usually machine to machine and can happen as often as every message.


Earlier schemes, such as Kerberos and X.500-based PKI, assumed that the same (strong) methods would be used for both. The SS TC recognized that many existing environments would constrain the methods that could be used for either, and often a given scenario, e.g. Web SSO, would require the use of distinct methods for each. Decoupling them also makes it easier to convert to stronger methods over time, since, for example, a change to subject confirmation would not generally be visible to users.


There are three types of Subject Confirmation defined by SAML: Bearer, Sender Vouches and Holder of Key. Their semantics are defined in section 3 of the Profiles specification (http://docs.oasis-open.org/security/saml/v2.0/saml-profiles-2.0-os.pdf). All of the Web SSO Profiles use Bearer, which essentially means that the binding between the assertion and the message or session is based on weak (non-cryptographic) mechanisms, such as HTTP redirects. Note that the Authentication Request Protocol, which is used by the Web SSO profiles, requires that when Bearer is used, Audience Restriction must be specified. This is intended to allow SPs to detect that the assertion presented was intended for some other SP.


The use of Holder of Key allows a SAML assertion to function in a manner very similar to an X.509 certificate, except that symmetric as well as asymmetric encryption methods may be used, and many other features, such as certificate hierarchies and revocation methods, were not defined. Sender Vouches and Holder of Key are used in various WS-Security Profiles.


Hal


From: Security Developer [mailto:security.developer22@gmail.com]
Sent: Tuesday, March 18, 2014 1:54 AM
To: SAML Dev
Subject: [saml-dev] Question related to Subject Confirmation in SAML


Dear all,

I am a little confused about how subject confirmation works in SAML. I would like to know: how does subject confirmation work in SAML using the Web SSO profile?

Thanks for your time.
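The checks an SP performs on a bearer-confirmed assertion, as described in Hal's reply above, shown as an added example that is not part of the original thread and not code from the SAML specification or any SAML toolkit. The SP entity ID, ACS URL, request ID and the sample assertion are constructed values; XML signature verification (which must precede these checks in a real deployment) is assumed to have happened already and is not shown.

```python
"""Bearer subject confirmation and audience restriction checks for a SAML 2.0
assertion, as an SP would apply them in the Web Browser SSO profile.
Added example with constructed sample data; not code from the SAML specification."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Assumed SP configuration (constructed values, not from the original thread)
SP_ENTITY_ID = "https://sp.example.org/saml/metadata"
SP_ACS_URL = "https://sp.example.org/saml/acs"
OTHER_SP_ENTITY_ID = "https://other-sp.example.net/saml/metadata"
REQUEST_ID = "_req42"

# Constructed assertion template; the audience is parameterised so that an
# assertion addressed to some other SP can be produced for comparison.
ASSERTION_TEMPLATE = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="_a1" Version="2.0" IssueInstant="2014-03-18T01:54:00Z">'
    '<saml:Issuer>https://idp.example.com/idp</saml:Issuer>'
    '<saml:Subject><saml:NameID>user@example.com</saml:NameID>'
    '<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">'
    '<saml:SubjectConfirmationData Recipient="https://sp.example.org/saml/acs" '
    'NotOnOrAfter="2014-03-18T02:04:00Z" InResponseTo="_req42"/>'
    '</saml:SubjectConfirmation></saml:Subject>'
    '<saml:Conditions NotBefore="2014-03-18T01:53:00Z" NotOnOrAfter="2014-03-18T02:04:00Z">'
    '<saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience>'
    '</saml:AudienceRestriction></saml:Conditions></saml:Assertion>'
)


def make_assertion(audience):
    """Build a constructed sample assertion addressed to the given audience."""
    return ASSERTION_TEMPLATE.format(audience=audience)


def _utc(ts):
    # The sample timestamps use the plain "YYYY-MM-DDTHH:MM:SSZ" form.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_bearer_assertion(assertion_xml, sp_entity_id, acs_url, request_id, now):
    """Return the list of reasons to reject the assertion; an empty list means
    the bearer confirmation and audience checks passed."""
    root = ET.fromstring(assertion_xml)
    problems = []

    # Bearer confirmation: at least one SubjectConfirmation with the bearer
    # method whose SubjectConfirmationData names our ACS URL as Recipient,
    # has not expired, and answers the AuthnRequest we actually issued.
    confirmed = False
    for sc in root.findall("saml:Subject/saml:SubjectConfirmation", NS):
        if sc.get("Method") != BEARER:
            continue
        data = sc.find("saml:SubjectConfirmationData", NS)
        if data is None or data.get("Recipient") != acs_url:
            continue
        expiry = data.get("NotOnOrAfter")
        if expiry is None or now >= _utc(expiry):
            continue
        if data.get("InResponseTo") != request_id:
            continue
        confirmed = True
        break
    if not confirmed:
        problems.append("no acceptable bearer SubjectConfirmation")

    # Audience restriction: required with bearer confirmation so the SP can
    # detect an assertion that was issued for some other SP.
    audiences = [a.text for a in root.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if not audiences:
        problems.append("AudienceRestriction missing")
    elif sp_entity_id not in audiences:
        problems.append("assertion is addressed to %s, not this SP" % ", ".join(audiences))

    # Overall validity window of the assertion's Conditions.
    cond = root.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _utc(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _utc(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems


if __name__ == "__main__":
    now = _utc("2014-03-18T01:55:00Z")
    for aud in (SP_ENTITY_ID, OTHER_SP_ENTITY_ID):
        result = check_bearer_assertion(make_assertion(aud), SP_ENTITY_ID,
                                        SP_ACS_URL, REQUEST_ID, now)
        print(aud, "->", result or "accepted")
```

Run as a script, the assertion addressed to our own entity ID is accepted, while the one addressed to the other SP is rejected solely on the audience check, even though its bearer SubjectConfirmationData (Recipient, NotOnOrAfter, InResponseTo) is otherwise acceptable; that is exactly the misdirection the Audience Restriction requirement is meant to expose. Moving the clock past NotOnOrAfter rejects both the confirmation and the assertion as a whole.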
